The GDPR requires organisations to maintain a Record of Data Processing Activity, often called a ROPA. This obligation applies to both controllers and processors and their representatives under article 28 (where applicable). There is an exemption for an organisation which employs fewer than 250 people; however, this exemption will not apply where the processing:
- is likely to result in a risk to the rights and freedoms of data subjects;
- is not occasional;
- includes special category data or personal data relating to criminal convictions or offences.
Even where an organisation falls within the exemption because it has fewer than 250 employees, it would make sense to maintain a record of what data is being processed by that organisation as part of the organisation’s accountability framework. Furthermore, for data processors whose business is processing data on behalf of controller clients, it is unlikely that the processor would be carrying out “occasional” processing on behalf of those clients, and so it would be required to maintain an article 30 record.
Article 30 (1) sets out the minimum information that a controller’s ROPA must contain. It includes the following:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation. Where one of the article 49 derogations is relied upon to facilitate such transfers, the relevant appropriate safeguards must also be documented;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures referred to in article 32 (1).
Article 30 (2) requires each processor (or processor’s representative) to maintain a record with the following information:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting (or their representative), and the DPO;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation (as set out in the controllers’ section above).
These records must be in writing and be made available to the supervisory authority on request (article 30 (4) GDPR). As is clear from the description above, the requirements of article 30 must be considered the minimum amount of information that should be retained in order to demonstrate compliance with the GDPR. Other documentation will need to be retained in order to demonstrate accountability, e.g. DPIAs, privacy notices, contracts between controllers and processors, etc.
In practice, some organisations, particularly those that are very large and geographically dispersed, will use a technological solution to assist in drafting a ROPA. Other organisations will use spreadsheets. There is no prescribed modality set out in the GDPR other than the requirement that the ROPA must be in writing.
Article 28 GDPR requires a controller to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject”.
In negotiating data processing agreements between data controllers and data processors, controllers may want to impose a contractual requirement that a processor maintains a ROPA, as evidence of the processor’s compliance activities. This position is supported by the statement in Article 28 (h) GDPR, which provides that the contract between the controller and processor shall stipulate that the processor “makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this article…”.
In summary:
- maintaining an article 30 record of processing activity is a statutory requirement for many organisations;
- it may be a contractual requirement for data processors in their contracts with data controller customers; and
- it is a helpful, practical measure to assist in demonstrating a controller’s or processor’s compliance with the GDPR and in meeting accountability requirements.
At Pembroke Privacy, we work with clients from government bodies to large tech companies, small organisations and others to draft compliant ROPAs. We have our own Pembroke Privacy ROPA process and we also partner with One Trust, where clients wish to use their technological solutions to assist in creating a ROPA. For further information on how we may be able to help you, please contact your usual Pembroke Privacy contact or email firstname.lastname@example.org.